
Example 1 with UGIAssumingTransportFactory

Use of org.apache.accumulo.core.rpc.UGIAssumingTransportFactory in project accumulo by apache.

The class TServerUtils, method createSaslThreadPoolServer.

public static ServerAddress createSaslThreadPoolServer(HostAndPort address, TProcessor processor, TProtocolFactory protocolFactory, long socketTimeout, SaslServerConnectionParams params, final String serverName, String threadName, final int numThreads, final int numSTThreads, long timeBetweenThreadChecks) throws TTransportException {
    // We'd really prefer to use THsHaServer (or similar) to avoid 1 RPC == 1 Thread that the TThreadPoolServer does,
    // but sadly this isn't the case. Because TSaslTransport needs to issue a handshake when it open()'s which will fail
    // when the server does an accept() to (presumably) wake up the eventing system.
    log.info("Creating SASL thread pool thrift server listening on {}:{}", address.getHost(), address.getPort());
    TServerSocket transport = new TServerSocket(address.getPort(), (int) socketTimeout);
    String hostname, fqdn;
    try {
        hostname = InetAddress.getByName(address.getHost()).getCanonicalHostName();
        fqdn = InetAddress.getLocalHost().getCanonicalHostName();
    } catch (UnknownHostException e) {
        transport.close();
        throw new TTransportException(e);
    }
    // If we can't get a real hostname from the provided host string, use the hostname from DNS for localhost
    if ("0.0.0.0".equals(hostname)) {
        hostname = fqdn;
    }
    // SASL requires the listen address to match this host's FQDN; a mismatch means the user has an error in
    // their configuration.
    if (!hostname.equals(fqdn)) {
        log.error("Expected hostname of '{}' but got '{}'. Ensure the entries in the Accumulo hosts files (e.g. masters, tservers) are the FQDN for each host when using SASL.", fqdn, hostname);
        transport.close();
        throw new RuntimeException("SASL requires that the address the thrift server listens on is the same as the FQDN for this host");
    }
    final UserGroupInformation serverUser;
    try {
        serverUser = UserGroupInformation.getLoginUser();
    } catch (IOException e) {
        transport.close();
        throw new TTransportException(e);
    }
    log.debug("Logged in as {}, creating TSaslServerTransport factory with {}/{}", serverUser, params.getKerberosServerPrimary(), hostname);
    // Make the SASL transport factory with the instance and primary from the kerberos server principal, SASL properties
    // and the SASL callback handler from Hadoop to ensure authorization ID is the authentication ID. Despite the 'protocol' argument seeming to be useless, it
    // *must* be the primary of the server.
    TSaslServerTransport.Factory saslTransportFactory = new TSaslServerTransport.Factory();
    saslTransportFactory.addServerDefinition(ThriftUtil.GSSAPI, params.getKerberosServerPrimary(), hostname, params.getSaslProperties(), new SaslRpcServer.SaslGssCallbackHandler());
    if (null != params.getSecretManager()) {
        log.info("Adding DIGEST-MD5 server definition for delegation tokens");
        saslTransportFactory.addServerDefinition(ThriftUtil.DIGEST_MD5, params.getKerberosServerPrimary(), hostname, params.getSaslProperties(), new SaslServerDigestCallbackHandler(params.getSecretManager()));
    } else {
        log.info("SecretManager is null, not adding support for delegation token authentication");
    }
    // Make sure the TTransportFactory is performing a UGI.doAs
    TTransportFactory ugiTransportFactory = new UGIAssumingTransportFactory(saslTransportFactory, serverUser);
    if (address.getPort() == 0) {
        // If we chose a port dynamically, build a new address from it (along with the proper hostname)
        address = HostAndPort.fromParts(address.getHost(), transport.getServerSocket().getLocalPort());
        log.info("SASL thrift server bound on {}", address);
    }
    ThreadPoolExecutor pool = createSelfResizingThreadPool(serverName, numThreads, numSTThreads, timeBetweenThreadChecks);
    final TThreadPoolServer server = createTThreadPoolServer(transport, processor, ugiTransportFactory, protocolFactory, pool);
    return new ServerAddress(server, address);
}
Also used : SaslRpcServer(org.apache.hadoop.security.SaslRpcServer) UnknownHostException(java.net.UnknownHostException) TTransportException(org.apache.thrift.transport.TTransportException) LoggerFactory(org.slf4j.LoggerFactory) UGIAssumingTransportFactory(org.apache.accumulo.core.rpc.UGIAssumingTransportFactory) TSSLTransportFactory(org.apache.thrift.transport.TSSLTransportFactory) TProtocolFactory(org.apache.thrift.protocol.TProtocolFactory) TProcessorFactory(org.apache.thrift.TProcessorFactory) TTransportFactory(org.apache.thrift.transport.TTransportFactory) IOException(java.io.IOException) TTransportFactory(org.apache.thrift.transport.TTransportFactory) TServerSocket(org.apache.thrift.transport.TServerSocket) UGIAssumingTransportFactory(org.apache.accumulo.core.rpc.UGIAssumingTransportFactory) TSaslServerTransport(org.apache.thrift.transport.TSaslServerTransport) ThreadPoolExecutor(java.util.concurrent.ThreadPoolExecutor) TThreadPoolServer(org.apache.thrift.server.TThreadPoolServer) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Example 2 with UGIAssumingTransportFactory

Use of org.apache.accumulo.core.rpc.UGIAssumingTransportFactory in project accumulo by apache.

The class TServerUtils, method createSaslThreadPoolServer.

public static ServerAddress createSaslThreadPoolServer(HostAndPort address, TProcessor processor, TProtocolFactory protocolFactory, long socketTimeout, SaslServerConnectionParams params, final String serverName, final int numThreads, final long threadTimeOut, final AccumuloConfiguration conf, long timeBetweenThreadChecks) throws TTransportException {
    // We'd really prefer to use THsHaServer (or similar) to avoid 1 RPC == 1 Thread that the
    // TThreadPoolServer does,
    // but sadly this isn't the case. Because TSaslTransport needs to issue a handshake when it
    // open()'s which will fail
    // when the server does an accept() to (presumably) wake up the eventing system.
    log.info("Creating SASL thread pool thrift server listening on {}:{}", address.getHost(), address.getPort());
    InetSocketAddress isa = new InetSocketAddress(address.getHost(), address.getPort());
    // Must use an ISA, providing only a port would ignore the hostname given
    TServerSocket transport = new TServerSocket(isa, (int) socketTimeout);
    String hostname, fqdn;
    try {
        hostname = InetAddress.getByName(address.getHost()).getCanonicalHostName();
        fqdn = InetAddress.getLocalHost().getCanonicalHostName();
    } catch (UnknownHostException e) {
        transport.close();
        throw new TTransportException(e);
    }
    // If we can't get a real hostname from the provided host string, use the hostname from DNS for
    // localhost
    if ("0.0.0.0".equals(hostname)) {
        hostname = fqdn;
    }
    // SASL requires the listen address to match this host's FQDN; a mismatch means the user has an error in
    // their configuration.
    if (!hostname.equals(fqdn)) {
        log.error("Expected hostname of '{}' but got '{}'. Ensure the entries in" + " the Accumulo hosts files (e.g. managers, tservers) are the FQDN for" + " each host when using SASL.", fqdn, hostname);
        transport.close();
        throw new RuntimeException("SASL requires that the address the thrift" + " server listens on is the same as the FQDN for this host");
    }
    final UserGroupInformation serverUser;
    try {
        serverUser = UserGroupInformation.getLoginUser();
    } catch (IOException e) {
        transport.close();
        throw new TTransportException(e);
    }
    log.debug("Logged in as {}, creating TSaslServerTransport factory with {}/{}", serverUser, params.getKerberosServerPrimary(), hostname);
    // Make the SASL transport factory with the instance and primary from the kerberos server
    // principal, SASL properties
    // and the SASL callback handler from Hadoop to ensure authorization ID is the authentication
    // ID. Despite the 'protocol' argument seeming to be useless, it
    // *must* be the primary of the server.
    TSaslServerTransport.Factory saslTransportFactory = new TSaslServerTransport.Factory();
    saslTransportFactory.addServerDefinition(ThriftUtil.GSSAPI, params.getKerberosServerPrimary(), hostname, params.getSaslProperties(), new SaslRpcServer.SaslGssCallbackHandler());
    if (params.getSecretManager() != null) {
        log.info("Adding DIGEST-MD5 server definition for delegation tokens");
        saslTransportFactory.addServerDefinition(ThriftUtil.DIGEST_MD5, params.getKerberosServerPrimary(), hostname, params.getSaslProperties(), new SaslServerDigestCallbackHandler(params.getSecretManager()));
    } else {
        log.info("SecretManager is null, not adding support for delegation token authentication");
    }
    // Make sure the TTransportFactory is performing a UGI.doAs
    TTransportFactory ugiTransportFactory = new UGIAssumingTransportFactory(saslTransportFactory, serverUser);
    if (address.getPort() == 0) {
        // If we chose a port dynamically, build a new address from it (along with the proper hostname)
        address = HostAndPort.fromParts(address.getHost(), transport.getServerSocket().getLocalPort());
        log.info("SASL thrift server bound on {}", address);
    }
    ThreadPoolExecutor pool = createSelfResizingThreadPool(serverName, numThreads, threadTimeOut, conf, timeBetweenThreadChecks);
    final TThreadPoolServer server = createTThreadPoolServer(transport, processor, ugiTransportFactory, protocolFactory, pool);
    return new ServerAddress(server, address);
}
Also used : SaslRpcServer(org.apache.hadoop.security.SaslRpcServer) UnknownHostException(java.net.UnknownHostException) InetSocketAddress(java.net.InetSocketAddress) TTransportException(org.apache.thrift.transport.TTransportException) LoggerFactory(org.slf4j.LoggerFactory) UGIAssumingTransportFactory(org.apache.accumulo.core.rpc.UGIAssumingTransportFactory) TSSLTransportFactory(org.apache.thrift.transport.TSSLTransportFactory) TProtocolFactory(org.apache.thrift.protocol.TProtocolFactory) TProcessorFactory(org.apache.thrift.TProcessorFactory) TTransportFactory(org.apache.thrift.transport.TTransportFactory) IOException(java.io.IOException) TTransportFactory(org.apache.thrift.transport.TTransportFactory) TServerSocket(org.apache.thrift.transport.TServerSocket) UGIAssumingTransportFactory(org.apache.accumulo.core.rpc.UGIAssumingTransportFactory) TSaslServerTransport(org.apache.thrift.transport.TSaslServerTransport) ThreadPoolExecutor(java.util.concurrent.ThreadPoolExecutor) TThreadPoolServer(org.apache.thrift.server.TThreadPoolServer) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Aggregations

IOException (java.io.IOException)2 UnknownHostException (java.net.UnknownHostException)2 ThreadPoolExecutor (java.util.concurrent.ThreadPoolExecutor)2 UGIAssumingTransportFactory (org.apache.accumulo.core.rpc.UGIAssumingTransportFactory)2 SaslRpcServer (org.apache.hadoop.security.SaslRpcServer)2 UserGroupInformation (org.apache.hadoop.security.UserGroupInformation)2 TProcessorFactory (org.apache.thrift.TProcessorFactory)2 TProtocolFactory (org.apache.thrift.protocol.TProtocolFactory)2 TThreadPoolServer (org.apache.thrift.server.TThreadPoolServer)2 TSSLTransportFactory (org.apache.thrift.transport.TSSLTransportFactory)2 TSaslServerTransport (org.apache.thrift.transport.TSaslServerTransport)2 TServerSocket (org.apache.thrift.transport.TServerSocket)2 TTransportException (org.apache.thrift.transport.TTransportException)2 TTransportFactory (org.apache.thrift.transport.TTransportFactory)2 LoggerFactory (org.slf4j.LoggerFactory)2 InetSocketAddress (java.net.InetSocketAddress)1